Abstract

An inverted pendulum has been used as the controlled device in a prototype real-time control system employing the Simplex™ architecture. In this report, we address the control issues of such a system in an analytic way. In particular, an analytic model of the system is derived; control algorithms are designed for the baseline control, experimental control and safety control based on the concept of analytic redundancy; the safety region is obtained as the stability region of the system under the safety control; and the control switching logic is established to provide fault tolerant functionality. Finally, the results obtained and the lessons learned are summarized, and future work is discussed.

™ Simplex is a trademark of Carnegie Mellon University.
1 Introduction

An inverted pendulum has been used as a controlled device in a prototype control system employing the Simplex architecture. As shown in Figure 1, the physical system consists of a cart, driven by a DC motor, and a pendulum attached to the cart. The cart can move along a horizontal track, and the pendulum is able to rotate freely in the range of [-30°, 30°] with respect to vertical in the vertical plane parallel to the track. There is no direct control applied to the pendulum. Both the position of the cart $x$ and the angle $\theta$ are measurable through two potentiometers. The dynamics of the system are described by the state of the system, which consists of the cart position $x$, the cart velocity $\dot{x}$, the pendulum angle $\theta$, and the pendulum angular velocity $\dot{\theta}$. The physical system has state and control constraints. Specifically, the cart position is restricted in the range [-0.7, 0.7] meters, the maximum speed of the cart is 1.0 meter/second, the angle is constrained to the range [-30°, 30°], and the motor input voltage is limited in the range [-4.96, 4.96] volts.

Figure 1: An Inverted Pendulum Control System

The control objective of the inverted pendulum system is to move the cart from one position to another along the track with the pendulum standing still at the upright position, i.e., $\theta = 0$. Since the equilibrium at $\theta = 0$ is unstable, such control objective has to be achieved while maintaining the stability of the system. As the DC motor has only limited power and the track has finite length, there exist certain states of the physical system from which the pendulum cannot be steered back to the upright position. Therefore, the notion of a safety region will be introduced to characterize a subset of the system state from which the system stability can always be maintained.

The report is organized as follows. In Section 2, we derive an analytic model for the inverted pendulum control system. In Section 3, the control system's primary objective of stabilization is presented and the notion of analytically redundant controllers is defined. Control algorithms are designed for the baseline controller, the experimental controller, and the safety controller based on the concept of analytic redundancy in the sense that all the controllers will achieve the control objective, but they will result in different system performance and stability regions. Practical issues in the implementation of the controllers are discussed. In Section 4, the safety region is defined and the safety criterion of the physical system is described. A control switching logic is established to tolerate the timing and semantic faults. The report is concluded in Section 5 with discussions of the lessons learned and future work on real-time control systems employing the Simplex architecture.


2 An Analytic Model of Inverted Pendulum System

A complete analytic model of the inverted pendulum controlled by a DC motor is derived in three parts: the pendulum-cart dynamics, the friction model, and the motor dynamics. Details are given below.


Pendulum-cart dynamics: Euler-Lagrange Equation

Let $M$ and $m$ be the masses of the cart and pendulum, $l$ be the length of the pendulum, $F$ be the motor force applied to the cart, and $f_c$ and $f_p$ be the friction on the cart and on the pendulum, respectively. The kinetic energy of the cart is $K_c = M\dot{x}^2/2$ and the potential energy of the cart is zero with respect to a properly chosen reference. For the pendulum, consider a small portion with mass $dm$ located at $q \in [0, l]$ as shown in Figure 2.

Figure 2: A Small Portion of the Pendulum

Then we have

$$x_{dm} = x + q\sin\theta, \qquad \dot{x}_{dm} = \dot{x} + q\cos\theta\,\dot{\theta}$$

$$y_{dm} = q\cos\theta, \qquad \dot{y}_{dm} = -q\sin\theta\,\dot{\theta}$$

the kinetic energy of $dm$:

$$K_{dm} = \frac{1}{2}\,dm\,(\dot{x}_{dm}^2 + \dot{y}_{dm}^2) = \frac{1}{2}\,dm\,(\dot{x}^2 + 2q\cos\theta\,\dot{x}\dot{\theta} + q^2\dot{\theta}^2)$$

and the potential energy of $dm$:

$$P_{dm} = dm\,g\,q\cos\theta$$


CMU/SEI-99-TR-023 




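where $dm = \rho\,dq$ and $\rho$ is the mass per unit length of the pendulum. The total kinetic energy and potential energy of the pendulum can be obtained by integrating $K_{dm}$ and $P_{dm}$ from 0 to $l$. Doing so, we obtain the total kinetic energy $K$ and the potential energy $P$ of the overall system given by

$$K = K_c + K_p = \frac{1}{2}(M + m)\dot{x}^2 + \frac{1}{2}ml\cos\theta\,\dot{x}\dot{\theta} + \frac{1}{6}ml^2\dot{\theta}^2, \qquad P = \frac{1}{2}mgl\cos\theta$$

and the resulting Lagrangian:

$$L = K - P = \frac{1}{2}(M + m)\dot{x}^2 + \frac{1}{2}ml\cos\theta\,\dot{x}\dot{\theta} + \frac{1}{6}ml^2\dot{\theta}^2 - \frac{1}{2}mgl\cos\theta$$

Then the Euler-Lagrange equations

$$\frac{d}{dt}\frac{\partial L}{\partial \dot{x}} - \frac{\partial L}{\partial x} = F - f_c, \qquad \frac{d}{dt}\frac{\partial L}{\partial \dot{\theta}} - \frac{\partial L}{\partial \theta} = -f_p$$

yield the equations of motion:

$$(m + M)\ddot{x} + \frac{1}{2}ml\cos\theta\,\ddot{\theta} - \frac{1}{2}ml\sin\theta\,\dot{\theta}^2 = F - f_c$$

$$\frac{1}{2}ml\cos\theta\,\ddot{x} + \frac{1}{3}ml^2\ddot{\theta} - \frac{1}{2}mgl\sin\theta = -f_p \qquad (1)$$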


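Friction Model

We assume that both static friction and viscosity friction act on the cart and the pendulum joint. These frictions are described by the following functions:

$$f_c = \mathrm{sgn}(\dot{x})A_x e^{-C_x|\dot{x}|} + B_x\dot{x}, \qquad f_p = \mathrm{sgn}(\dot{\theta})A_\theta e^{-C_\theta|\dot{\theta}|} + B_\theta\dot{\theta} \qquad (2)$$

with $A_x, B_x, C_x, A_\theta, B_\theta, C_\theta > 0$. Friction $f_c$ is depicted in Figure 3.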
where

$L_a$ - armature inductance
$R_a$ - armature resistance
$I_a$ - armature current
$V_a$ - armature voltage
$r$ - driving wheel radius
$T_m$ - motor torque (no load)
$T_l$ - load torque
$\omega$ - motor angular velocity
$J_m$ - rotor inertia of motor
$B_m$ - viscous friction coefficient
$K_t$ - torque constant
$K_b$ - back-emf constant
$K_g$ - gear ratio
(symbol illegible) - back emf
$F$ - force to the cart

Then the motor dynamics can be expressed in terms of $I_a$, $x$, and force $F$ as

$$L_a\dot{I}_a + R_aI_a + \frac{K_gK_b}{r}\dot{x} = V_a$$

$$F = -\frac{K_g^2J_m}{r^2}\ddot{x} - \frac{K_g^2B_m}{r^2}\dot{x} + \frac{K_tK_g}{r}I_a \qquad (3)$$


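Finally, by combining Eqs. (1)-(3), we arrive at a complete model of the inverted pendulum control system with the control variable $V_a$:

$$\left(m + M + \frac{K_g^2J_m}{r^2}\right)\ddot{x} + \frac{1}{2}ml\cos\theta\,\ddot{\theta} + \frac{K_g^2B_m}{r^2}\dot{x} - \frac{K_tK_g}{r}I_a - \frac{1}{2}ml\sin\theta\,\dot{\theta}^2 = -f_c$$

$$\frac{1}{2}ml\cos\theta\,\ddot{x} + \frac{1}{3}ml^2\ddot{\theta} - \frac{1}{2}mgl\sin\theta = -f_p \qquad (4)$$

$$L_a\dot{I}_a + R_aI_a + \frac{K_gK_b}{r}\dot{x} = V_a$$

Solving the first two equations for $\ddot{x}$ and $\ddot{\theta}$ gives

$$\ddot{x} = \frac{1}{D}\left[-\frac{1}{3}ml^2(f_c + C_1) + \frac{1}{2}ml\cos\theta\,(f_p + C_2)\right]$$

$$\ddot{\theta} = \frac{1}{D}\left[\frac{1}{2}ml\cos\theta\,(f_c + C_1) - \bar{M}(f_p + C_2)\right]$$

where

$$f_c = \mathrm{sgn}(\dot{x})A_x e^{-C_x|\dot{x}|} + B_x\dot{x}, \qquad f_p = \mathrm{sgn}(\dot{\theta})A_\theta e^{-C_\theta|\dot{\theta}|} + B_\theta\dot{\theta}$$

$$\bar{M} = m + M + \frac{K_g^2J_m}{r^2}, \qquad D = \frac{1}{3}\bar{M}ml^2 - \frac{1}{4}m^2l^2\cos^2\theta$$

$$C_1 = \frac{K_g^2B_m}{r^2}\dot{x} - \frac{K_tK_g}{r}I_a - \frac{1}{2}ml\sin\theta\,\dot{\theta}^2, \qquad C_2 = -\frac{1}{2}mgl\sin\theta$$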



3 Feedback Control Design and Implementation

The overall control software consists of three different controllers: Experimental Controller (EC), Baseline Controller (BC), and Safety Controller (SC). A controller is a software module that implements a control algorithm to compute control commands. Different control algorithms are implemented in EC, BC and SC, and they are designed based on the concept of analytical redundancy. In the Simplex, the active controller is the controller whose control command is actually chosen to be sent to the physical system, and the application controllers refer to the control processes that are replaceable (e.g., the baseline controller and the experimental controller). For a detailed description of the Simplex and its structure in control systems, see Seto [Seto 98]. In this section, we discuss the design and implementation of the analytically redundant controllers.

Definition 1: Control algorithms are analytically redundant with respect to a requirement R if they generate control commands satisfying requirement R.

To apply Definition 3.1 to the design of EC, BC and SC, we need first to discuss the requirement that the control algorithms have to satisfy. Apparently, such a requirement is related to the control objective of the system. As we stated in the Introduction, the inverted pendulum is expected to be controlled to move from one track position to another while the pendulum is kept standing still at the upright position. Clearly, it is possible to try to stabilize the system at a new track position from anywhere on the track, but this scheme may lead to a failure of the system, such as the pendulum falling down or the cart running off the track, as there are limitations on input voltage, track length, and cart velocity. To avoid such failures, we try to stabilize the system at a nearby track position and update the position towards the desired position periodically and at a predefined rate. The desired track position is referred to as a target and the generated nearby track positions are called set points. The set point generation can be done as part of the control algorithm, or be computed separately in a higher level control loop. It is the latter approach that we adopt in this report, which allows separation of concerns. In this multi-level control architecture, the lower level control will focus on stabilizing the system at a given set point, while the higher level control takes responsibility for generating proper set points which lead the physical system to the target. Let $x_s$ and $x_t$ be a set point and a target respectively. Then the control objectives for lower level controllers EC, BC and SC can be stated as: stabilizing the system in Eq. (4) at $[x, \dot{x}, \theta, \dot{\theta}, I_a] = [x_s, 0, 0, 0, 0]$ subject to the constraints:
$$|x| < 0.7, \quad |\dot{x}| < 1.0, \quad |\theta| < 30°, \quad |V_a| < 4.96 \qquad (5)$$

and the control objective for the higher level control: update the set point $x_s$ every $T$ seconds with the change $vT$ until the generated set point reaches the target, i.e.,

while ($|x_s - x_t| > |vT|$)   $x_s((k+1)T) = x_s(kT) + vT$

if ($|x_s - x_t| < |vT|$)   $x_s((k+1)T) = x_t$

where $T$ is the sampling period of higher level control and $v$ is the desired speed of the cart.

Remark 1: The control objective for higher level control can be considered as a trajectory generation for the cart. Namely, it generates a reference trajectory on track position for the system to follow. In this report, the reference trajectory is a linear function of time. It is not, however, the only possible reference.

With the control objective defined above, the lower level controllers EC, BC, and SC are said to be analytically redundant, with respect to stabilizing the physical system at a given set point, if all of them will stabilize the physical system at that set point. This definition implies that the control commands generated by EC, BC and SC could be different, but each one of them will stabilize the physical system at the given set point. Because of the constraints on state and control, the state space of the physical system, $[x, \dot{x}, \theta, \dot{\theta}]$, is divided into two exclusive regions, the feasible region and the unfeasible region. The feasible region is defined as a set that contains all the states of the physical system satisfying all the state constraints. Apparently, any stability region of the physical system has to be a subset of the feasible region. To take into account the constraints, we modify the definition of analytically redundant controllers as: the lower level controllers EC, BC and SC are said to be analytically redundant with respect to maintaining stability of the physical system in a given region if each one of the controllers will asymptotically stabilize the physical system inside the given region. In this revised definition, we do not require the stability of the system to be guaranteed at a common set point.

In fact, we say two controllers are analytically redundant if they both generate control commands within the control limits to asymptotically stabilize the physical system at some set point, which may not be the same, without violating the state constraints. We will require asymptotic stability to guarantee effective control of the cart position. While all the analytically redundant controllers will asymptotically stabilize the physical system, they may result in different system performance and stability regions. In the rest of this section, we will investigate these differences and propose a design principle for the controllers.

3.1 Controller Design and System Performance

It is difficult, if not impossible, to design stabilization control algorithms and identify the corresponding stability regions for the nonlinear system in Eq. (4). Since our interest is to control the system in a neighborhood of an equilibrium state, it is reasonable to consider the linearization of the system at the equilibrium. In addition, since the variable $I_a$ is not measurable and the inductance is relatively small ($L_a = 0.00018$ Henry), we reduce the order of the system by setting $L_a = 0$. This leads to

$$I_a = -\frac{K_gK_b}{rR_a}\dot{x} + \frac{1}{R_a}V_a$$

and

$$\ddot{x} = \frac{1}{D}\left[\frac{1}{3}ml^2(B_1V_a - f_c - C_1) + \frac{1}{2}ml\cos\theta\,(f_p + C_2)\right]$$

$$\ddot{\theta} = \frac{1}{D}\left[-\frac{1}{2}ml\cos\theta\,(B_1V_a - f_c - C_1) - \bar{M}(f_p + C_2)\right]$$

where

$$\bar{B} = \frac{K_g^2B_m}{r^2} + \frac{K_g^2K_tK_b}{r^2R_a}, \qquad B_1 = \frac{K_tK_g}{rR_a}, \qquad C_1 = \bar{B}\dot{x} - \frac{1}{2}ml\sin\theta\,\dot{\theta}^2, \qquad C_2 = -\frac{1}{2}mgl\sin\theta$$

Furthermore, we drop the static friction terms by letting $A_x = A_\theta = 0$. Then the linearized system at $[x_s, 0, 0, 0]$ with the set point is given by

= $AX + BV_a$   (6)
Design of the controllers EC, BC and SC will be based on the linearized model in Eq. (6). In this report, we will concentrate on linear state feedback control in the form $V_a = KX$, although other control synthesis may also be possible, especially for EC. To determine the control gain $K$, we solve the linear quadratic regulator (LQR) problem: find a control $V_a$ such that the quadratic cost function

$$J(V_a) = \int_0^\infty (X^TDX + RV_a^2)\,dt$$

is minimized, where $D$ is a 4x4 symmetric and positive definite matrix and $R$ is positive. The solution to this problem is given by a state feedback control law

$$V_a = -R^{-1}B^TSX \qquad (7)$$

where $S$ is the solution of the Riccati equation $A^TS + SA - SBR^{-1}B^TS + D = 0$. It can be shown that, for each pair of $D$ and $R$, there exists a unique solution $S$ to the Riccati equation and a control law in Eq. (7) that asymptotically stabilizes the system in Eq. (6) at $X = 0$.

By varying matrix $D$ and scalar $R$, the control gain obtained from them can be different, but all the resulting control algorithms will asymptotically stabilize the system at $X = 0$. The performance of the closed-loop system, however, may not be the same. For the inverted pendulum, we are interested in how good the controller is in terms of controlling the physical system to a set point and maintaining its stability there. Such a performance requirement is evaluated by the measures defined in Appendix A1. Namely, we will take a look at the overshoot, settling time and maximum deviation associated with the cart position, the settling time on quadratic state error, and the steady-state value of the accumulated quadratic state error. The following example illustrates the difference in performance caused by different controllers.


Solid lines: results by $V_{a1}$; dotted lines: results by $V_{a2}$

Figure 4: Simulation Result
Measure                                                        Va1      Va2
Settling time (seconds)                                        7.66     15.76
Overshoot (meters)                                             0.0      0.0
Maximum deviation (meters)                                     0.36     0.36
Settling time on quadratic state error (seconds)               3.52     6.08
Steady-state value of the accumulated quadratic state error    0.40     0.48

Table 1: Performance Measures of the Closed-Loop System with Va1 and Va2

Example 1: For the linearized model of the inverted pendulum control system in Eq. (6), we design the stabilization control laws as in Eq. (7) by choosing two values of $R$: $R = 0.01$ and $R = 0.1$, and the same $D = \mathrm{diag}(1, 1, 1, 1)$. We will show that the control laws obtained from these different values of $R$ will cause different system performance. Using Matlab, the LQR problem is solved with the control gains:

$K_1 = [10.0, 27.72, 103.36, 23.04]$ for $R = 0.01$
$K_2 = [3.16, 19.85, 69.92, 14.38]$ for $R = 0.1$

Suppose the initial condition is chosen as $X_0 = [0.05, 0.31, 3.2\pi/180, 0]$. Simulating the dynamics of the closed-loop system with control $V_{a1} = K_1X$ and $V_{a2} = K_2X$, we obtain the results summarized in Figure 4 and Table 1. From the performance measures, we conclude that the control $V_{a1}$ results in a better performance than $V_{a2}$, while both controllers will stabilize the system at the equilibrium as indicated in Figure 4.

3.2 Stability Regions

While all the analytically redundant controllers stabilize the physical system at $X = 0$, they may result in different stability regions in addition to different system performance. It can be shown that the closed-loop system performance and the stability region are negatively related, i.e., the better the performance of the closed-loop system is, the smaller the stability region will be. Generic analysis of this relation will be reported elsewhere; in this report, we demonstrate it with the inverted pendulum control system.

We first derive the safety region for a given controller. A stability region of the system in Eq. (6) under the control defined in Eq. (7) is a region in the state space of the physical system, from which the controller is able to asymptotically stabilize the physical system at $X = 0$ without violating any state or control constraints. We will focus on the stability regions described by a class of quadratic Lyapunov functions. Consider the constraints given by (5) in the $X$-coordinate:

$$-0.7 - x_s < x_1 < 0.7 - x_s, \quad |x_2| < 1.0, \quad |x_3| < 30°, \quad |KX| < 4.96$$
Obviously, the constraint on the cart position described above will change as the set point varies. Since the stability region is defined with respect to the equilibrium at a set point and is computed off-line, we would like the constraint on the cart position to be set with respect to the moving set point, i.e., the constraint on $x_1 = x - x_s$ to be a constant. Since the total track range is [-0.7, 0.7], and the eligible set point range is [-0.5, 0.5], we restrict the cart motion in the range of [-0.2, 0.2] from any given set point, i.e., $|x_1| < 0.2$. For the angle constraint, the current specification is too large, given that all the nonlinearities have been ignored in the linearized model. Hence we reduce the angle range by half. Then a revised feasible region $\Gamma$ of the physical system is described by

$$\Gamma = \{X \mid |x_1| < 0.2,\ |x_2| < 1.0,\ |x_3| < 15°,\ |KX| < 4.96\}$$

and a stability region $S$ of the system in Eq. (7) with a given controller $V_a = KX$ is:

$$S = \{X \mid X^TPX < 1,\ P > 0,\ A^TP + PA < 0\} \subset \Gamma$$


Apparently, such a defined stability region is not unique for any given controller. To make a comparison of the stability regions between controllers, we consider the largest stability region as defined in Appendix A2. In particular, we first derive the largest stability region for a given controller, and then search for the control gain $K$ such that the resulting closed-loop system will have the largest stability region. The former is the case when $K$ is known and the latter corresponds to the case that $K$ is unknown, which are both discussed in Appendix A2.

Case 1. K is given

In this case, our objective is to identify the largest stability region inside the feasible region $\Gamma$ for a given controller. The control gain has been obtained with other considerations; for instance, it could be chosen to satisfy some particular performance specifications. To find the largest stability region, we follow the procedure described in Appendix A2 and formulate the following LMI problem to determine matrix $Q = P^{-1}$:

minimize   $\log\det Q^{-1}$
subject to   $QA^T + AQ < 0$, $Q > 0$
             $a_k^TQa_k < 1$, $k = 1, \ldots, 8$

where

$a_1 = [5, 0, 0, 0]^T$, $a_3 = [0, 1, 0, 0]^T$, $a_5 = [0, 0, 3.82, 0]^T$, $a_7 = K/4.95$,
$a_2 = [-5, 0, 0, 0]^T$, $a_4 = [0, -1, 0, 0]^T$, $a_6 = [0, 0, -3.82, 0]^T$, $a_8 = -K/4.95$.

This LMI problem is solved by the algorithm developed in Vandenberghe [Vandenberghe 98], and the resulting stability region, projected to the $x_1$-$x_2$ phase plane with $x_3 = x_4 = 0$ and the $x_3$-$x_4$ phase plane with $x_1 = x_2 = 0$, is shown in Figure 5.
Solid lines: the boundary of the stability region; dashed lines: the state constraints; dotted lines: the constraints due to control limitation

Figure 5: The Largest Stability Region
(with $K_1$ and $K_2$, projected to the $x_1$-$x_2$ phase plane and the $x_3$-$x_4$ phase plane)
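The constraint vectors $a_1, \ldots, a_8$ of Case 1 are the half-space form of the feasible region: a state $X$ is inside when $a_k^TX < 1$ for every $k$. The following Python sketch is an added example, not code from the report; it rebuilds the vectors from the stated limits and the gains $K_1$, $K_2$ of Example 1, and shows that a state inside the region under $K_2$ lies outside it under the higher gain $K_1$. The function names and the sample state are constructed for illustration.

```python
import math

# Limits of the revised feasible region, taken from the text.
X1_MAX = 0.2                   # cart offset from the set point (m)
X2_MAX = 1.0                   # cart speed (m/s)
X3_MAX = math.radians(15.0)    # pendulum angle (rad)
V_MAX = 4.95                   # voltage bound as used in a7 = K/4.95

# Control gains of Example 1 in the text.
K1 = [10.0, 27.72, 103.36, 23.04]
K2 = [3.16, 19.85, 69.92, 14.38]


def dot(a, x):
    return sum(ai * xi for ai, xi in zip(a, x))


def constraint_vectors(K):
    """Return [(name, a_k)], k = 1..8; X is feasible iff a_k . X < 1 for all k."""
    rows = []
    limits = (("x1", X1_MAX), ("x2", X2_MAX), ("x3", X3_MAX))
    for i, (label, limit) in enumerate(limits):
        for sign in (1.0, -1.0):
            a = [0.0, 0.0, 0.0, 0.0]
            a[i] = sign / limit            # e.g. 1/0.2 = 5 for the cart position
            rows.append((("+" if sign > 0 else "-") + label, a))
    rows.append(("+KX", [k / V_MAX for k in K]))    # a7: control limit
    rows.append(("-KX", [-k / V_MAX for k in K]))   # a8: control limit
    return rows


def margin(X, K):
    """Largest a_k . X over all constraints: below 1 inside the region."""
    return max(dot(a, X) for _, a in constraint_vectors(K))


def violated(X, K):
    """Names of the constraints that the state X does not satisfy."""
    return [name for name, a in constraint_vectors(K) if dot(a, X) >= 1.0]


def voltage_limited_angle_deg(K):
    """Angle (deg) at which |KX| reaches V_MAX when x1 = x2 = x4 = 0."""
    return math.degrees(V_MAX / abs(K[2]))


if __name__ == "__main__":
    # Constructed sample state: pendulum tilted 3.5 degrees, everything else zero.
    X = [0.0, 0.0, math.radians(3.5), 0.0]
    for name, K in (("K1", K1), ("K2", K2)):
        print(name, "margin:", round(margin(X, K), 3),
              "violated:", violated(X, K),
              "angle limit from voltage (deg):",
              round(voltage_limited_angle_deg(K), 2))
```

The angle at which the voltage bound alone is reached is narrower for the higher-gain controller, which is the effect of the control-limitation constraints on the stability region.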

Case 2. K is unknown

In this case, we will find the best $K$, among all possible gains $K$ which render the physical system asymptotically stable, such that the corresponding controller will result in the largest stability region described by a quadratic Lyapunov function in the feasible region. Then the matrix $Q = P^{-1}$ can be determined by solving the following LMI problem:

minimize   $\log\det Q^{-1}$
subject to   $QA^T + AQ + Z^TB^T + BZ < 0$, $Q > 0$
             $a_k^TQa_k < 1$, $k = 1, \ldots, 6$
             $> 0$, $j = 1, 2$,

where

$a_1 = [5, 0, 0, 0]^T$, $a_3 = [0, 1, 0, 0]^T$, $a_5 = [0, 0, 3.82, 0]^T$,
$a_2 = [-5, 0, 0, 0]^T$, $a_4 = [0, -1, 0, 0]^T$, $a_6 = [0, 0, -3.82, 0]^T$,
$b_1 = 1/4.95$, $b_2 = -1/4.95$.

This problem again can be solved by the algorithm presented in [Vandenberghe 98]. The resulting stability region, projected to the $x_1$-$x_2$ phase plane with $x_3 = x_4 = 0$ and the $x_3$-$x_4$ phase plane with $x_1 = x_2 = 0$, is shown in Figure 6. By solving $K$ from the equation $Z = KQ$, we obtain the control gain $K = [7.6, 13.54, 42.85, 8.25]$.


Solid lines: the boundary of the stability region; dashed lines: the state constraints; dotted lines: the constraints due to control limitation

Figure 6: The Largest Stability Region
(with $K$ variable, projected on the $x_1$-$x_2$ phase plane and the $x_3$-$x_4$ phase plane; horizontal axes: cart position (meter), pendulum angle (deg))

Finally, we conclude the controller design by comparing the performances and stability regions that different controllers result in. It is these differences that make the concept of analytic redundancy applicable. In all the cases, we have the control algorithm defined as a linear state feedback control in Eq. (7), but with the following control gains:

$K_1 = [10.0, 27.72, 103.36, 23.04]$

$K_2 = [3.16, 19.85, 69.92, 14.38]$

$K_3 = [7.6, 13.54, 42.85, 8.25]$

As discussed before, the controllers with $K_1$ and $K_2$ will yield different performance, while the controller with $K_3$ will result in the largest stability region. Since the control gain $K_3$ is derived independently of the LQR approach, it would be inappropriate to consider its measures on the quadratic state error used in the LQR approach. Therefore, we compare the settling time and the energy. Figure 7 shows the performance measures of the closed-loop system; Figure 8 depicts the stability regions rendered by these controllers, and Table 2 summarizes the comparison. The stability regions are projected to the $x_1$-$x_2$ phase plane with $x_3 = x_4 = 0$ and the $x_3$-$x_4$ phase plane with $x_1 = x_2 = 0$, respectively.
Dashed lines: results corresponding to control $K_1X$; dotted lines: obtained with $K_2X$; solid lines: generated by $K_3X$

Figure 7: Performance Under Three Controllers
(track position (meters) against time (seconds))

Dashed lines: the results corresponding to control $K_1X$; dotted lines: obtained with $K_2X$; solid lines: generated by $K_3X$

Figure 8: The Largest Stability Regions
(projected to the $x_1$-$x_2$ phase plane and the $x_3$-$x_4$ phase plane; horizontal axes: cart position (meter), pendulum angle (deg))
Measure                                                   K1X      K2X      K3X
Settling time (seconds)                                   7.66     15.76    8.44
Overshoot (meters)                                        0.0      0.0      -0.152
Maximum deviation (meters)                                0.36     0.36     0.37
Settling time on energy (seconds)                         2.92     2.86     4.64
Measure of the size of stability region (sqrt(det Q))     0.0078   0.0144   0.0279

Table 2: Summary of the Comparison on Performance and Stability Region of Three Different Controllers

The above comparison shows that the controller with $K_3$ does give the largest stability region, but has the worst performance among all three controllers. On the other hand, the controller with gain $K_1$ yields the smallest safety region but has a much better performance. All three controllers are analytically redundant with respect to stabilizing the inverted pendulum at the equilibrium $X = 0$. Then the principle of controller design can be stated as: the control gain associated with a larger stability region should be used to construct a safety controller, while the control gain corresponding to better performance ought to be adopted for the baseline controller and the experimental controller.

3.3 Controller Implementation

In the inverted pendulum control system, the control algorithm for all the analytically redundant controllers is the same, namely, linear state feedback control $u = KX$, but with different control gains. These control gains are determined from solving LQR problems with the objective that the system performance under the baseline controller and the experimental controller will be satisfactory with respect to some performance specification, while the safety controller will offer the largest stability region among all these controllers. It is worth noting that the model that we use to compute the control gains is only an approximation of the real system, in which we have ignored all the nonlinearities, static frictions, motor dynamics, and other uncertainties on dynamics and parameters. Therefore, the resulting control gains are expected to be off from the gains that should actually be used, and it is important to adjust them in experiments. Let $K_b$, $K_e$ and $K_s$ be the control gains for the baseline controller, the experimental controller and the safety controller, respectively. The following gains have been used for one inverted pendulum control system:

$K_b = [10.0, 36.0, 140.0, 14]$;  $K_e = [8.0, 32.0, 120, 12]$;  $K_s = [6.0, 20.0, 60.0, 16.0]$

These controllers are implemented with a sampling frequency of 50 Hertz.

In addition to model imprecision, the measurements of the track position and the pendulum angle are noisy as well. Since these are the only states that can be measured from the physical system, the cart velocity and the pendulum angular velocity have to be constructed separately. Therefore, how the measured data are filtered and the unknown states constructed directly affects the precision of the states that are used to compute the control command. From Figure 9, it is clear that the measurement noises¹ are above 5 Hz. Hence a first-order digital Butterworth lowpass filter with cut-off frequency 5 Hz is used. To construct the velocities, we apply the first order approximation, namely

$$\dot{x}(t) = [x(t) - x(t-T)]/T \quad \text{and} \quad \dot{\theta}(t) = [\theta(t) - \theta(t-T)]/T$$

with $T$ the sampling period. Although the position data in the above construction are the results after filtering, they may still contain a certain amount of noise. When the remaining noises are still relatively large, we extend the first order approximation over more periods to raise the signal-to-noise ratio. In those cases, we would have

$$\dot{x}(t) = [x(t) - x(t-mT)]/mT \quad \text{and} \quad \dot{\theta}(t) = [\theta(t) - \theta(t-mT)]/mT$$


where m is an integer greater than one. Our experiments showed that, with m = 2, the
constructed velocities are much cleaner than when m = 1, but they suffer further delay.
Therefore, the trade-off between a clean velocity and the delay needs to be carefully
considered. As an alternative for velocity construction, one may consider using a Kalman
filter, which eliminates the delay in data filtering and generates accurate velocity estimates
simultaneously.
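The filtering and velocity construction described above can be tried out with the following added example, which is not code from the report. Only the 50 Hz sampling rate, the 5 Hz cut-off and the m-period difference come from the text; the bilinear-transform realization of the filter, the function names, and the test signal (a constant-speed ramp with Gaussian noise of constructed amplitude) are assumptions.

```python
import math
import random

FS = 50.0        # sampling frequency stated in the report (Hz)
FC = 5.0         # low-pass cut-off stated in the report (Hz)
T = 1.0 / FS     # sampling period (s)


def butter1_lowpass(fc=FC, fs=FS):
    """Coefficients of a first-order Butterworth low-pass (bilinear transform,
    pre-warped cut-off) for y[n] = b0*x[n] + b1*x[n-1] - a1*y[n-1]."""
    k = math.tan(math.pi * fc / fs)
    b = k / (1.0 + k)
    a1 = (k - 1.0) / (k + 1.0)
    return b, b, a1


def lowpass(samples, fc=FC, fs=FS):
    """Filter a sequence. The filter state is initialised to the first sample,
    so a constant input passes through unchanged from the first output."""
    b0, b1, a1 = butter1_lowpass(fc, fs)
    x_prev = y_prev = samples[0]
    out = []
    for x in samples:
        y = b0 * x + b1 * x_prev - a1 * y_prev
        out.append(y)
        x_prev, y_prev = x, y
    return out


def velocity(positions, m=1, period=T):
    """m-period backward difference [x(t) - x(t - mT)] / (mT).
    The first m entries have no history and are reported as 0.0."""
    return [0.0 if n < m else (positions[n] - positions[n - m]) / (m * period)
            for n in range(len(positions))]


def filter_delay_samples(n=400, speed=0.1):
    """Filtering delay in sampling periods, measured as the steady-state lag of
    the filtered signal behind a noiseless constant-speed ramp."""
    ramp = [speed * i * T for i in range(n)]
    filtered = lowpass(ramp)
    return (ramp[-1] - filtered[-1]) / (speed * T)


def velocity_rms_error(m_values=(1, 2), n=2000, speed=0.1, sigma=0.002, seed=1):
    """RMS error of the constructed velocity for each m on a constructed signal:
    constant-speed ramp (m/s) plus Gaussian sensor noise (std sigma, in m)."""
    rng = random.Random(seed)
    measured = [speed * i * T + rng.gauss(0.0, sigma) for i in range(n)]
    filtered = lowpass(measured)
    result = {}
    for m in m_values:
        v = velocity(filtered, m)[50:]          # skip the start-up transient
        result[m] = math.sqrt(sum((e - speed) ** 2 for e in v) / len(v))
    return result


if __name__ == "__main__":
    print("filtering delay (periods):", round(filter_delay_samples(), 3))
    for m, err in velocity_rms_error().items():
        # An m-period difference estimates the velocity at the middle of its
        # window, so it adds about m/2 periods of lag on top of the filter.
        print(f"m={m}: velocity RMS error {err:.4f} m/s, added lag {m / 2} periods")
```

The measured filter lag falls inside the 1-2 sampling periods quoted for the filtering delay, and the m = 2 velocity is cleaner than the m = 1 velocity at the cost of a longer difference window.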


[Figure 9 plots not reproduced. Surviving panel title: Measurement Noise on Track Position; horizontal axis: Time (seconds).]

Figure 9: Measurement Noises of Track Position and Pendulum


Another practical issue in control implementation is delay. As we discussed in Appendix A4,
a digital filter will cause delay. In fact, the lowpass digital filter that we used will cause
a delay of 1-2 sampling periods. We call this delay the filtering delay. While the effect of
this delay can be compensated by adjusting the control gains in the control law, it will have
a significant effect on safety checking of the system, as described in a later section. In
addition to the filtering delay, the control implementation also causes a one-period delay.
Specifically, at each sample, the measured data is acquired and the computed control command
is sent out. During one sampling period, for example, in (t0, t0 + T), the control command
u(t0 + T) is computed based on the state sampled at time t0, x(t0). This control will not be
sent out to the physical system until the end of the period, i.e., t0 + T.

¹ The noises shown are the difference between the physical measurements and the clean data. The
clean data is obtained by filtering the raw data forwards and backwards using a high-order
lowpass filter, e.g., 10th order. While such filtering gives noiseless data with no delay, it
can only be done off-line.

At time t0 + T, however, the state of the system has evolved to x(t0 + T). Therefore,
the control command will always act on the state that is one period later than the state from
which the command was computed. We refer to this type of delay as digital implementation
delay. One may argue that the control command should be sent out right after it is computed,
given that the computation of the control command could be very short. While this arrangement
can reduce the implementation delay, it may cause jittering and make the scheduling of control
tasks difficult if there are multiple tasks executing on a uniprocessor. We intentionally
choose the implementation with one period of delay to avoid jittering and to ease the
schedulability analysis.

Both the filtering delay and the digital implementation delay can be compensated by
model-based state projection, i.e., projecting the state by solving the system equations. See
Appendix A3 for the detailed computation. Let $F = e^{AT}$, $G = \int e^{A\tau}\,d\tau$. Then
the compensation of these delays in period (t0, t0 + T) can be described as below.

Filtering  delay  compensation 


Suppose there is one period of filtering delay. Upon receiving the measurements from the
physical system at t0, we feed the data to the lowpass filter. Then the filtered data can be
considered as the true (noiseless) track position and pendulum angle at the previous sample,
i.e., [x(t0 - T), θ(t0 - T)]. Constructing the velocities based on the filtered data, we obtain
the full state at t0 - T, X(t0 - T). Since the control command u(t0 - T) was output to the
physical system at t0 - T and it acted on the state X(t0 - T), the full state at time t0 can be
projected as:


X(t0)  =  FX(t0-T)  +  Gu(t0-T) 

Figure 10 illustrates the filtering delay compensation by plotting the physical track position
as measured, filtered and projected, respectively, as the system travels from x = 0 to x = 0.25.
We can see clearly from the enlarged portion that the filtered data is delayed compared to
the raw measurement and that the projected data compensates for the delay.

Solid Lines: plot of the track position with the raw measurement
Dashed  Lines:  the  filtered  data 
Dotted  Lines:  the  projected  data 

Figure  10:  Track  Position  with  Raw  Measurement,  Filtered  Data,  and  Projected  Data 

Digital  implementation  delay  compensation 

The control command u(t0) has been sent out to the physical system at time t0. The noiseless
state of the physical system at t0 is obtained from the compensation of the filtering delay.
Then, to find the state at which the control command u(t0 + T) will start influencing the
physical system, namely, the state that the physical system will be in at time t0 + T under
the control u(t0), we project from X(t0) for one more period:


X(t0 + T) = FX(t0) + Gu(t0)


This is the state at which the physical system will respond to the control command u(t0 + T).
Then we compute u(t0 + T) from the projected state X(t0 + T). While the digital
implementation delay can be dealt with by model-based state projection, it is actually
compensated for by adjusting the control gains properly in the experiments because the state
feedback control is reasonably robust with respect to small delay. State projection will
compensate for it in state safety checking discussed later.

4 Design of Control Switching Logic


The control switching logic in the Simplex architecture is designed to tolerate timing faults
and semantic faults. It governs the selection of the active controller such that the safety
controller will be chosen if a fault is detected, and the baseline controller will be in charge
once the system has recovered from a faulty situation. To detect a timing fault, it suffices to
check whether the application controllers have missed their deadlines. For a semantic fault,
however, the detection is more involved. In what follows, we first discuss an abstraction of
the continuous dynamics of the physical system for semantic fault detection, and then design
the control switching logic.

4.1  Safety  Region  and  Safety  of  the  Physical  System 

The analytically redundant controllers in the Simplex architecture will result in different
stability regions. By evaluating the state of the physical system relative to the stability
regions, control switches can be executed to tolerate the semantic faults. In particular, the
safety controller is designed to provide safety protection, and therefore, the stability region
of the safety controller is of special importance. In this section, we define the notion of the
safety region and the safety criterion of the physical system, which will be used for the
design of control switching.

A semantic fault is detected based on the behavior of the physical system. To abstract the
continuous dynamics of the system, we define the safety region as follows: the safety region
with respect to the safety controller us is defined as the largest stability region of the
physical system under the control of us. Let Ps be the positive definite matrix which renders
the stability region of the system the largest. Then the safety region SR is given by
$SR = \{X \mid X^T P_s X < 1\}$. A state X0 is inside SR if $X_0^T P_s X_0 < 1$. Hence we would
like to say that the physical system is safe if its state is inside the safety region, and for
tolerating a semantic fault, we would design a switching logic to invoke the safety controller
whenever the state of the physical system is out of the safety region. Such a strategy,
however, will not work. By the definition of stability region, it is clear that the physical
system may not be stabilized if it starts from a state outside the stability region. Thus it
would be too late for the safety controller to maintain system stability once the state of the
physical system is out of its stability region. We refer to this situation as the safety region
paradox. To fix this problem, we need to know, at time t0, if the state of the physical system
at t0 + T will be inside the safety region. If it is not, we would like to switch to the safety
controller at t0. Given the filtering delay and digital implementation delay in the system,
such a "look ahead" strategy can be extended as follows. Suppose (t0, t0 + T) is the period in
which the control switching logic needs to decide whether the safety controller's output should
be used. Let $z(t) = [x_m(t), \theta_m(t)]$ and $[x(t), \theta(t)]$ be the measurements and the
noiseless data of the track position and the pendulum angle, respectively. Figure 11 shows the
inputs from and outputs to the physical system.


Sample t0 - T:   in: z(t0 - T)    out: u(t0 - T)
Sample t0:       in: z(t0)        out: u(t0)
Sample t0 + T:   in: z(t0 + T)    out: u(t0 + T)
Sample t0 + 2T:  in: z(t0 + 2T)   out: u(t0 + 2T)

u(t0) = KX(t0 - T)     u(t0 + T) = KX(t0)     u(t0 + 2T) = KX(t0 + T)


Solid Lines: results by Val;
Dotted Lines: results by Va2

Figure 11: Simulation Result


Step  1.  Filtering  delay  compensation 

In this first step, the measurements z(t0) are obtained from the physical system. Following
the compensation procedure described in the last section, the true state of the physical system
at time t0 can be obtained from


X(t0)  =  FX(t0-T)  +  Gu(t0-T) 

Step  2.  Digital  implementation  delay  compensation 

Again, as derived in the last section, the state from which the physical system will respond
to the control command u(t0 + T) is given by

X(t0+T)  =  FX(t0)  +  Gu(t0) 

Step 3. One more period projection to resolve the safety region paradox

If the safety controller were chosen as the active controller in the time interval
(t0, t0 + T), it would affect the physical system at t0 + T. Therefore, the state X(t0 + T)
cannot be used to determine if the safety controller should be selected, due to the safety
region paradox. This implies that one more period of state projection is needed. If the further
projected state is out of the safety region, the safety controller will be switched to active
and start controlling the physical system at t0 + T, at which time the state of the physical
system is still inside the safety region.

For this projection, we use the control command that is going to be sent out to the physical
system. Let such control be u(t0 + T). Then the projection from X(t0 + T) under u(t0 + T) is
given by


X(t0 + 2T) = FX(t0 + T) + Gu(t0 + T)

Then the safety criterion of the physical system is given as: the physical system is safe if
the state X(t0 + 2T) is inside the safety region, i.e., $X(t_0 + 2T)^T P_s X(t_0 + 2T) < 1$;
otherwise, it is unsafe. Let $P_b > 0$ be the matrix that gives the largest stability region of
the physical system under the baseline control. We say that the physical system is ready for
the baseline control if the state X(t0 + T) is inside the stability region given by $P_b$,
i.e., $X(t_0 + T)^T P_b X(t_0 + T) < 1$; otherwise, it is not ready. These are summarized in
Figure 12.


[Figure 12 flowchart not reproduced. Surviving label: Input at t0: measurement [xm(t0), θm(t0)]]


Figure  12:  Check  if  the  Physical  System  is  Safe,  and  if  it  is  Ready  for  Baseline 
Control 
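The three projection steps and the two checks summarized in Figure 12 can be written down as follows. This is an added example, not code from the report. It assumes the standard zero-order-hold form G = (integral from 0 to T of e^{A tau} d tau) B, since the formula for G is only partly legible in this text, and it uses a constructed two-state cart-only plant with constructed matrices PS, PB and command limit U_MAX in place of the report's pendulum model and LMI-derived regions.

```python
T = 0.02   # sampling period for the report's 50 Hz rate (s)


def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def discretize(A, B, period=T, terms=25):
    """F = e^{A T} and G = (integral_0^T e^{A tau} d tau) B by truncated power
    series. B is a column given as a flat list (single control input)."""
    n = len(A)
    F = [[float(i == j) for j in range(n)] for i in range(n)]
    S = [[period * float(i == j) for j in range(n)] for i in range(n)]
    term = [row[:] for row in F]                 # (A T)^k / k!, starting at k = 0
    for k in range(1, terms):
        term = [[v * period / k for v in row] for row in mat_mul(term, A)]
        for i in range(n):
            for j in range(n):
                F[i][j] += term[i][j]
                S[i][j] += term[i][j] * period / (k + 1)
    G = [sum(S[i][j] * B[j] for j in range(n)) for i in range(n)]
    return F, G


def project(F, G, X, u):
    """One-period model-based projection X(t + T) = F X(t) + G u(t)."""
    return [sum(F[i][j] * X[j] for j in range(len(X))) + G[i] * u
            for i in range(len(X))]


def quad(P, X):
    """Quadratic Lyapunov value X^T P X."""
    return sum(X[i] * P[i][j] * X[j] for i in range(len(X)) for j in range(len(X)))


def safety_check(F, G, Ps, Pb, X_filtered, u_prev, u_now, u_next):
    """X_filtered is the filtered data, i.e. the state at t0 - T (one period of
    filtering delay); u_prev = u(t0 - T), u_now = u(t0), u_next = u(t0 + T)."""
    X_t0 = project(F, G, X_filtered, u_prev)   # step 1: filtering delay
    X_t1 = project(F, G, X_t0, u_now)          # step 2: implementation delay
    X_t2 = project(F, G, X_t1, u_next)         # step 3: look-ahead past the paradox
    return {
        "V_filtered_sample": quad(Ps, X_filtered),
        "V_t0_plus_T": quad(Ps, X_t1),
        "V_t0_plus_2T": quad(Ps, X_t2),
        "safe": quad(Ps, X_t2) < 1.0,
        "ready_for_baseline": quad(Pb, X_t1) < 1.0,
    }


# Constructed stand-in plant (NOT the report's pendulum model): cart only,
# state X = [position, velocity], input u = acceleration.
A = [[0.0, 1.0], [0.0, 0.0]]
B = [0.0, 1.0]
F, G = discretize(A, B)
PS = [[4.0, 0.0], [0.0, 1.0]]     # constructed safety ellipse 4 x^2 + v^2 < 1
PB = [[10.0, 0.0], [0.0, 2.5]]    # constructed: PS / 0.4, a reduced region as in Example 2
U_MAX = 5.0                       # constructed command limit


def demo():
    """Same filtered state, two candidate commands for u(t0 + T)."""
    X = [0.30, 0.70]
    brute = safety_check(F, G, PS, PB, X, 0.0, 0.0, +U_MAX)    # stuck-at-maximum command
    braking = safety_check(F, G, PS, PB, X, 0.0, 0.0, -U_MAX)  # decelerating command
    return brute, braking


if __name__ == "__main__":
    for name, result in zip(("brute", "braking"), demo()):
        print(name, result)
```

With the stuck-at-maximum command the filtered sample and the state at t0 + T are both still inside the ellipse, yet the state at t0 + 2T is outside, so the switch has to be made one period early.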

4.2  Design  of  Control  Switching  Logic 

The control switching logic is designed based on the detection of timing faults and semantic
faults. The former is simply a check of whether the application controllers have missed their
deadlines, while the latter is an evaluation of the state of the physical system with respect
to the safety region. In addition to the behavior of the physical system and the timing
performance of the application controllers, the user interface provides a way to manually
affect the selection of the active controller by changing the availability of the application
controllers. The state of an application controller is defined as follows:

Enabled: the controller is running and its output can be chosen to be sent to the physical
system

Disabled: the controller is running but its output is disabled

Terminated: the controller is destroyed

When  a  controller  is  destroyed,  all  of  the  resources  it  has  been  allocated  are  released.  For  the 
inverted  pendulum  control  system,  the  following  assumptions  have  been  imposed: 


•  When  an  application  controller  changes  from  being  active  to  inactive  because  of  a  fault  it 
contains,  its  output  will  be  disabled  until  the  user  re-enables  it. 

•  If  both  the  experimental  controller  and  the  baseline  controller  are  running  with  valid 
control  commands,  the  experimental  controller  will  be  selected  as  the  active  controller. 

The state transition of an application controller depends on the user's commands and on
whether the controller changes from being active to inactive. In particular, the events that
may cause a change of state of an application controller can be summarized in the set

{CREATE,  DESTROY,  ENABLE,  DISABLE,  A_TO_NA}

where CREATE/DESTROY and ENABLE/DISABLE are the user's commands to start/terminate the process
in which the controller is implemented, and to enable/disable the controller's output,
respectively. A_TO_NA is the event when the controller is changed from being active to
inactive. A state transition diagram is given in Figure 13.


Figure  13:  Application  Controller  State  Transition  Diagram 

By combining the results of the availability of the application controllers, timing performance
and the safety of the physical system, the control switching logic can be designed to tolerate
timing and semantic faults. To represent the availability of an application controller and its
timing performance, we define a Boolean variable bc_ready (ec_ready) for the baseline
controller (experimental controller) as follows:


if BC meets its deadline AND it is enabled
    bc_ready = TRUE
else
    bc_ready = FALSE

if EC meets its deadline AND it is enabled
    ec_ready = TRUE
else
    ec_ready = FALSE

Suppose a control command with a value out of the allowable range (command invalid) is
considered to be caused by a semantic fault in the controller. To describe the behavior of the
physical system in relation to system safety and recovery from a faulty situation, define
Boolean variables safe and to_bc with the following assignments:


if control output is valid AND the physical system is safe
    safe = TRUE
else
    safe = FALSE

if previous active controller is SC AND the physical system is ready for BC
    to_bc = TRUE
else
    to_bc = FALSE

Define  the  state  of  the  active  controller  to  be 


{BASELINE,  EXPERIMENTAL,  SAFETY} 


Then the state transition of the active controller will be determined by the values of the
Boolean variables bc_ready, ec_ready, safe and to_bc. Figure 14 shows the state transitions of
the active controller when the Boolean expressions on the transition arcs are TRUE.


Figure  14:  Active  Controller  State  Transition  Diagram 

We have now completely established the control switching logic to determine the active
controller. Implementation of this logic amounts to coding the state transition diagrams in
Figures 13 and 14. To illustrate this control switching logic, we present the following example.

Example 2: Suppose the mission was to move the inverted pendulum from x = -0.4 to x = 0.4.
All three controllers were running and the experimental controller initially controlled the
system. A brute-force bug² was coded in the experimental controller and it triggered while the
inverted pendulum was moving to the target. Upon detection of the bug, the active controller
was switched to the safety control, and remained under safety control until the physical
system was ready for the baseline control. Here we have used a reduced size safety region as
the stability region of the baseline controller, namely, the region given by
$\{X \mid X^T P_s X < 0.4\}$. To further reduce the effect of the noise on the value of the
Lyapunov function, we filtered the computed value of the Lyapunov function with a high-order
lowpass filter. The result was then used for the recovery check, a check to see if the physical
system would be ready for the baseline control, i.e., if the filtered value is less than the
threshold for recovery, 0.4. This delayed the switch to the baseline controller, but it
guaranteed that the safety controller would not be switched back after the baseline controller
was chosen to be the active controller.³ Figure 15 shows the trajectories of the physical
system, and Figure 16 displays the results of safety checking and controller switches. As we
can see from the figures, the experimental controller initially controlled the system, and it
caused the system to behave badly after 11 seconds. At t = 11.02, the value of the Lyapunov
function jumped over 1 and the bug was detected. At the same time, the safety controller took
over the control. One period after the safety controller took charge, the value of the
Lyapunov function dropped below 1, but the physical system was not ready for the baseline
control yet. Having been controlled by the safety controller for four periods, the physical
system became more stable, and the value of the Lyapunov function was reduced below 0.4. Hence
at t = 11.1, the baseline controller was switched active, and remained in control afterwards.

² An experimental controller with a brute-force bug generates the control command with the
maximum (or minimum) control value allowed every sampling period.

Figure 15: Illustration of Tolerating a Fault Caused by a Brute Force Bug


³ Theoretically, the value of the Lyapunov function should decrease monotonically under the
safety controller, but it may not be the case in reality due to the measurement noise, the
inaccuracy in system model and the construction of velocities. As a result, the value of the
Lyapunov function can drop to a low level after the safety controller takes over control, which
may trigger the switch to the baseline controller, and then bounce back to above 1 to knock out
the baseline controller again.

[Figure 16 plots not reproduced. Vertical axis: Lyapunov Value; horizontal axis: Times (seconds).]

(a) Value of the Lyapunov Function with Threshold 1

(b) A Blowup Portion of the Value of the Lyapunov Function
Solid Line: unfiltered values, used for safety check with threshold 1;
Dotted Line: plots the filtered value, used for recovery check with threshold 0.4

(c) Safety of the Physical System
Solid Line: the safety of the physical system (1 - safe and 0 - unsafe);
Dotted Line: the state of the active controller (1 - safety controller, 2 - baseline
controller, and 3 - experimental controller)


Figure 16: Lyapunov Function Values
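The active-controller switching of Section 4.2, together with the two-threshold recovery check of Example 2, is sketched below as an added example that is not code from the report. The arcs of Figure 14 are not available in this text, so the transitions are an assumption reconstructed from the prose rules (any fault selects the safety controller, recovery goes to the baseline controller, the experimental controller is preferred when both are ready, a faulted controller stays disabled until the user re-enables it); the one-pole smoother with parameter alpha stands in for the report's high-order lowpass filter, and the trace values are constructed.

```python
from enum import Enum


class Active(Enum):          # numbering follows the legend of Figure 16(c)
    SAFETY = 1
    BASELINE = 2
    EXPERIMENTAL = 3


SAFE_THRESHOLD = 1.0         # safety check on the unfiltered Lyapunov value
RECOVERY_THRESHOLD = 0.4     # recovery check on the filtered Lyapunov value


class SwitchingLogic:
    def __init__(self, alpha=0.5):
        # alpha: constructed one-pole smoother on the Lyapunov value;
        # alpha = 1.0 disables the filtering.
        self.alpha = alpha
        self.v_filtered = None
        self.active = Active.EXPERIMENTAL
        self.enabled = {Active.BASELINE: True, Active.EXPERIMENTAL: True}

    def step(self, v, command_valid=True, bc_on_time=True, ec_on_time=True):
        """Advance one sampling period given the look-ahead Lyapunov value v."""
        self.v_filtered = v if self.v_filtered is None else (
            self.alpha * v + (1.0 - self.alpha) * self.v_filtered)
        bc_ready = bc_on_time and self.enabled[Active.BASELINE]
        ec_ready = ec_on_time and self.enabled[Active.EXPERIMENTAL]
        safe = command_valid and v < SAFE_THRESHOLD
        to_bc = (self.active is Active.SAFETY
                 and self.v_filtered < RECOVERY_THRESHOLD)

        previous = self.active
        if previous is Active.SAFETY:
            nxt = Active.BASELINE if (to_bc and bc_ready and safe) else Active.SAFETY
        elif previous is Active.EXPERIMENTAL:
            nxt = Active.EXPERIMENTAL if (ec_ready and safe) else Active.SAFETY
        else:                                   # previous is BASELINE
            if not (bc_ready and safe):
                nxt = Active.SAFETY
            elif ec_ready:
                nxt = Active.EXPERIMENTAL       # EC is preferred when both are ready
            else:
                nxt = Active.BASELINE
        if nxt is Active.SAFETY and previous is not Active.SAFETY:
            self.enabled[previous] = False      # A_TO_NA after a fault: stays disabled
        self.active = nxt
        return nxt

    def user_enable(self, controller):
        """User ENABLE command for an application controller."""
        self.enabled[controller] = True


# Constructed Lyapunov values, one per 20 ms period: a fault at index 2, then a
# noisy dip (0.35) and bounce (1.05) of the kind described in footnote 3.
V_TRACE = [0.30, 0.35, 1.20, 0.35, 1.05, 0.60, 0.30, 0.15, 0.10, 0.08]


def replay(trace=V_TRACE, alpha=0.5):
    """Run a trace through the logic; return the active-controller history."""
    logic = SwitchingLogic(alpha)
    history = [logic.step(v).name for v in trace]
    return history, logic


if __name__ == "__main__":
    for a in (0.5, 1.0):
        hist, logic = replay(alpha=a)
        print(f"alpha={a}:", hist, "baseline enabled:", logic.enabled[Active.BASELINE])
```

With the filtered recovery check the noisy dip does not release the safety controller; with alpha = 1.0 the baseline controller is selected on the dip, knocked out on the bounce, and left disabled.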
5 Conclusions


In this report, we described analytical approaches for designing analytically redundant
controllers, deriving the safety region, and establishing a control switching logic in an
inverted pendulum control system using the Simplex architecture. While these approaches were
developed in association with a particular control system, the general analytic framework
should be applicable to other control applications without much difficulty.

Analytic redundancy is the key concept in the Simplex architecture. Based on this concept,
the baseline controller, the experimental controller, and the safety controller were designed
as linear state feedback controls with the common requirement of asymptotically stabilizing the
physical system at a given equilibrium state. While all of the controllers will achieve this
goal, the closed-loop systems may have different performance in terms of the rate of
convergence to the equilibrium and different stability regions. With certain well-defined
performance measures, it can be shown that the performance of the closed-loop system is
negatively related to the size of the corresponding stability region. Namely, the better the
performance of the closed-loop system, the smaller its stability region will be. It is this
property that allows us to design the safety controller to render a large stability region
although the performance it yields may not be superior, and the application controllers to
focus on improving the performance while the stability regions they result in may be small.
Such a combination enables an application controller to explore high functionality under the
protection of the safety controller.

The safety region is defined as the largest stability region rendered by the safety
controller. It is derived by solving an LMI problem subject to stability requirements as well
as the state and control constraints. Two cases were considered: 1) derive the safety region
for a given safety controller; and 2) design the safety controller such that the resulting
safety region is maximized. In the latter case, the resulting stability region is the largest
one described by a quadratic Lyapunov function among all possible linear state feedback
controllers that asymptotically stabilize the physical system. For testing in the lab, we used
the safety region derived with a given safety controller whose control gains have been adjusted
in the real system for an acceptable performance.

The control switching logic was designed to tolerate the timing and semantic faults. It was
established by taking into account the availability of the application controllers, the timing
performance of the application controllers, and the safety of the physical system. The key
step in the logic design is to correctly represent the state transition of the application
controllers and the state transition of the active controller. While the specifications on
fault tolerance may vary from application to application, the basic structure of the state
transition diagrams will remain the same, and design procedures can be carried over across
applications.

As the analytic approaches were employed in the real control system, there are
practical/engineering issues that need to be addressed. Many of them have occurred in our
implementation, and we will discuss four of them here. First, the physical system needs to be
well calibrated. The measurements of the track position and the pendulum angle are obtained
from two potentiometers. After the A/D converter, the signals from the potentiometers are
converted to digital ticks. Therefore, transformations from the ticks to the physical positions
of the variables measured are needed. To derive such transformations, we manually move the
cart to different locations on the track and fix the pendulum at different angles, and for each
of these positions, record the tick readings. By applying least-square fitting, we found the
linear relation between the physical position of the variable measured and the ticks read as in
Figure 17.


Figure 17: Linear Transformations Between the Physical Position of the Variable and
the Ticks

(cart position: 0.004365 * ticks; angle: 0.0359 * ticks)

In addition to identifying the transformations, it is important to get the precise tick
readings at the track center (x = 0) and zero angle (θ = 0). These two measures may need to be
recalibrated from time to time.

Second, the accuracy of the analytic model is important. As we have seen, both the
model-based state projection and the derivation of the safety region are based on the analytic
model. While the control algorithm is robust with respect to imprecision in the model,
model-based state projection and the derived safety region could suffer significantly because
of imprecision in the estimation of the run time system state and the model of the plant. The
current model of the inverted pendulum was completely derived from mechanical principles, and
some of its parameters were adjusted by comparing the simulation of the model and the results
obtained from running the physical system. This guarantees the accuracy of the model in the
short term, i.e., the matching of the simulation results and the physical system trajectory
over a short time, say a few periods. For state projection over a longer time, we ought to
carry through an extensive system identification procedure. This is certainly possible for a
system like the inverted pendulum whose linearized model well represents the actual nonlinear
system.

Third, the velocity construction plays an important role in both model-based state projection
and the safety checking. When the state projection did not give a satisfactory result, the
reason could be the inaccuracy of the model as we discussed above, but it is also possibly due
to the approximation of velocities. As the position variables contain noise, the velocity
approximation could be very poor. On the other hand, since the safety evaluation of the
physical system depends on the calculation of a quadratic Lyapunov function, which involves the
full states, the result obtained could be off significantly if the velocity components are
poorly constructed. To resolve the velocity construction problem, the standard approach is to
build an observer, or a Kalman filter if noise is one of the issues that need to be dealt with.
Again this is a model-based methodology, and therefore, it would be better to use it in
conjunction with a model identification approach, even though a Kalman filter would tolerate a
certain inaccuracy of the model. This is one of the subjects for further research.

Finally, in the design of the safety controller, one objective is to make the corresponding
stability region as large as possible, but this should not be pushed too far. As we discussed
earlier, the larger the stability region is, the poorer the performance will be in the
closed-loop system. In the inverted pendulum system, if the control gain is chosen such that
the safety region is too large, the corresponding safety controller would take a longer time to
drive the physical system to a neighborhood of the equilibrium state after it takes over the
control from a faulty controller. Therefore, in the actual design, we need to make a trade-off
between the volume gained and performance lost.

While the inverted pendulum is a prototype system, it certainly contains a lot of control
issues. We would like to emphasize that the analytic approaches developed to address these
issues can be very well extended to other control applications, including large-scale control
systems. On the other hand, of course, there are still some unsolved problems and they will
be investigated in our future research.

Appendix A


A1  Performance  Evaluation 

Consider a linear time-invariant (LTI) system

$\dot{X} = AX + Bu$


where $X \in R^n$, $u \in R^m$, $A \in R^{n \times n}$, $B \in R^{n \times m}$. u is the linear
state feedback control designed to minimize the quadratic cost
$J(u) = \int (X^T Q X + u^T R u)\,dt$, where Q and R are positive definite. Then the
performance of the closed-loop system can be evaluated by the system transient response, the
settling time on quadratic state error, the steady-state value of the accumulated quadratic
state error, and the settling time on energy, which are defined as follows.


Transient Response of a State Variable

Let $x(t)$ be the dynamic variable under study and $x_s$ be the set point for $x(t)$ to reach. Then the transient response of $x(t)$ is measured by the overshoot $O_s$, the settling time $S_t$, and the maximum deviation $D_m$, defined as follows. Figure 18 illustrates these measures.


overshoot  of  x(t): 


1max(jc(0)  -  xs 

,s'° 

{xs  -  minO(r)) 

*5 

when $x(t_0) = x_s$, $O_s = \max |x(t) - x_s|$


if  max(x(0)  >  x, 
otherwise 
if  min(x(t))  <  xs 

ttt 0 


otherwise 


settling time of $x(t)$: $S_t = t_1 - t_0$, where $t_1$ is the smallest $t$ such that $\forall t > t_1$

$$\begin{cases} |x(t) - x_s| < 0.05\,|x(t_0) - x_s| & x(t_0) \ne x_s \\ |x(t) - x_s| < 0.05 \max_{t \ge t_0} |x(t) - x_s| & x(t_0) = x_s \end{cases}$$

maximum deviation: $D_m = \max_{t \ge t_0} |x(t) - x_s|$
Figure 18: Measures for the Transient Response of x(t)

Settling  Time  on  Quadratic  State  Error 

By quadratic state error, we mean the quadratic term of the state variables in the cost function, i.e., $E_x(t) = X^T(t) Q X(t)$. Then the settling time on quadratic state error is defined as the time $t_1 - t_0$, with $t_1$ being the time when the quadratic state error decreases to 5% of $E_x(t_0)$ and stays within that range for all $t > t_1$.

Steady-State  Value  of  the  Accumulated  Quadratic  State  Error 

It can be shown that the quadratic cost $J(u)$ is bounded when the closed-loop system is asymptotically stable. Therefore, the steady-state value of the accumulated quadratic state error is defined as

$$E_x = \int_{t_0}^{\infty} X^T(t) Q X(t)\,dt$$


Settling  Time  on  Energy 

As described in Section 2, the total energy of the inverted pendulum system is given by

$$E(t) = \frac{1}{2}(M+m)\dot{x}(t)^2 + \frac{1}{2} m l \cos\theta(t)\,\dot{x}(t)\dot{\theta}(t) + \frac{1}{6} m l^2 \dot{\theta}(t)^2 + \frac{1}{2} m g l \cos\theta(t)$$

For an asymptotically stable closed-loop system, the total energy of the system will tend to the constant value $E_e = \frac{1}{2} m g l$, which is the potential energy of the system when the pendulum is at the upright position. Then the settling time on energy is defined as $S_{te} = t_{1e} - t_0$, where $t_{1e}$ is the smallest $t$ such that $\forall t > t_{1e}$

$$\begin{cases} |E(t) - E_e| < 0.05\,|E(t_0) - E_e| & E(t_0) \ne E_e \\ |E(t) - E_e| < 0.05 \max_{t \ge t_0} |E(t) - E_e| & E(t_0) = E_e \end{cases}$$

A2 Stability Region of Linear Control Systems with Linear Constraints

The stability region of a linear control system will be restricted by the constraints imposed on the system. The system can only evolve in the feasible region of the state space, where no constraints are violated. Thus, a stability region has to be a subset of the feasible region. Consider a linear control system:

$$\dot{X} = AX + Bu \quad\text{with constraints:}\quad a_k^T X \le 1,\ k = 1,\ldots,q \quad\text{and}\quad b_j^T u \le 1,\ j = 1,\ldots,r,$$

where $X \in R^n$, $u \in R^m$, $a_k \in R^n$ and $b_j \in R^m$ are constant vectors. The stabilization control algorithm is a linear state feedback control given by $u = KX$. Then the closed-loop system becomes time-invariant and the constraints on control variables can be expressed in terms of the state variables, i.e.,

$$\dot{X} = \bar{A}X \quad\text{with constraints:}\quad \bar{a}_k^T X \le 1,\ k = 1,\ldots,p \qquad \text{(A1)}$$

where $\bar{A} = A + BK$, $\bar{a}_i^T = a_i^T$, $\bar{a}_{q+j}^T = b_j^T K$, $i = 1,\ldots,q$, $j = 1,\ldots,r$, and $p = q + r$. Then the objective is to find the control gain $K$ such that the closed-loop system is asymptotically stable. Clearly, infinitely many choices of $K$ will do, as long as all the eigenvalues of the resulting matrix $\bar{A}$ are in the left half of the complex plane. To establish the relation between the choice of $K$ and the stability region associated with the control using $K$ as the control gain, we apply Lyapunov stability analysis.

Definition A1: The system in Eq. (A1) is quadratically stable if there exists a positive definite matrix $P > 0$ such that the quadratic function $V(X) = X^T P X$ has negative derivatives along all the trajectories of (A1).

The Lyapunov stability criterion states that the system in Eq. (A1) is asymptotically stable if and only if it is quadratically stable. Hence it is sufficient to study quadratic Lyapunov functions for the stability analysis of the system in Eq. (A1). Since

$$\dot{V} = X^T(\bar{A}^T P + P\bar{A})X$$

along the trajectories of Eq. (A1), we conclude that the system in Eq. (A1) is asymptotically stable if and only if there exists a matrix $P$ such that

$$P > 0,\ \bar{A}^T P + P\bar{A} < 0 \quad\text{or}\quad Q = P^{-1} > 0,\ Q\bar{A}^T + \bar{A}Q < 0 \qquad \text{(A2)}$$

Then a stability region $S$ of Eq. (A1) can be defined as $S = \{X \mid X^T P X \le 1\}$. Apparently, any stability region has to satisfy the constraints, namely, every point inside the region satisfies the constraints. The following result establishes the conditions for $S$ to satisfy the constraints.

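Lemma A1: Given an LTI system with constraints as in Eq. (A1), the stability region $S$ of Eq. (A1) satisfies the constraints in (A1) if and only if $\bar{a}_k^T P^{-1} \bar{a}_k \le 1$, $k = 1,\ldots,p$.

Proof: By definition, $S$ satisfies the constraints if and only if $\bar{a}_k^T X \le 1$ $\forall X \in S$, $k = 1,\ldots,p$. This implies that $S$ satisfies the constraints if and only if

$$\max_{X \in S} \bar{a}_k^T X \le 1,\ k = 1,\ldots,p \iff \bar{a}_k^T P^{-1} \bar{a}_k \le 1,\ k = 1,\ldots,p.$$

Next we will show $\max_{X \in S} \bar{a}_k^T X = \sqrt{\bar{a}_k^T P^{-1} \bar{a}_k}$, $\forall k = 1,\ldots,p$, which implies the latter condition. To this end, we solve the following nonlinear programming problem for each $k = 1,\ldots,p$:

$$\begin{aligned} \text{maximize} \quad & \bar{a}_k^T X \\ \text{subject to} \quad & X^T P X \le 1 \end{aligned}$$

Let $X^*$ be the optimal solution. Then the Kuhn-Tucker conditions are satisfied, namely

$$\begin{cases} \bar{a}_k^T - 2\lambda X^{*T} P = 0 \\ \lambda (1 - X^{*T} P X^*) = 0 \\ \lambda \ge 0 \end{cases}$$

Apparently, there is a solution only if $\lambda > 0$. Solving the above equations, we obtain

$$X^* = (P^{-1})^T \bar{a}_k \Big/ \sqrt{\bar{a}_k^T P^{-1} \bar{a}_k} \ \Rightarrow\ \max_{X \in S} \bar{a}_k^T X = \sqrt{\bar{a}_k^T P^{-1} \bar{a}_k}$$

Then we conclude that $\max_{X \in S} \bar{a}_k^T X \le 1$ if and only if $\bar{a}_k^T P^{-1} \bar{a}_k \le 1$ for all $k = 1,\ldots,p$.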
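The check in Lemma A1, written out as an added example (not code from the report): it solves P y = a to evaluate a^T P^{-1} a for each constraint vector and returns the maximizer X* obtained in the proof. The matrix P, the constraint vectors and the function names are constructed for illustration.

```python
import math

def solve(P, a):
    """Solve P y = a by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    M = [list(map(float, P[i])) + [float(a[i])] for i in range(n)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def quad(P, X):
    """X^T P X, the value of the Lyapunov function at X."""
    return dot(X, [dot(row, X) for row in P])

def max_over_region(P, a):
    """Return (max of a^T X over X^T P X <= 1, maximizer X*) as in the proof."""
    y = solve(P, a)                  # y = P^{-1} a
    m = math.sqrt(dot(a, y))         # sqrt(a^T P^{-1} a)
    return m, [yi / m for yi in y]   # X* = P^{-1} a / sqrt(a^T P^{-1} a)

def region_is_feasible(P, constraints):
    """True iff a^T P^{-1} a <= 1 for every constraint vector a (Lemma A1)."""
    return all(dot(a, solve(P, a)) <= 1.0 for a in constraints)

# Constructed data: a two-state system and a hypothetical Lyapunov matrix P.
P = [[4.0, 1.0], [1.0, 9.0]]
LIMITS = [[1.0, 0.0], [-1.0, 0.0], [0.0, 2.0], [0.0, -2.0]]  # |x1| <= 1, |x2| <= 0.5
TOO_TIGHT = LIMITS + [[3.0, 0.0]]                            # adds x1 <= 1/3

if __name__ == "__main__":
    for a in TOO_TIGHT:
        m, xs = max_over_region(P, a)
        print(a, "max a^T X =", round(m, 4), "at X* =", [round(v, 4) for v in xs])
    print("LIMITS feasible:", region_is_feasible(P, LIMITS))
    print("TOO_TIGHT feasible:", region_is_feasible(P, TOO_TIGHT))
```

The maximizer always lies on the boundary of the ellipsoid, which is why a single evaluation per constraint is enough to certify the whole region.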

Given that the stability region is not unique, we are interested in deriving the largest $S$ subject to the constraints. Since each stability region defines an ellipsoid geometrically in the state space of the system, by the size of a stability region we mean the volume of the ellipsoid. Maximizing the size of a stability region is carried out by formulating a linear matrix inequality (LMI) problem, which is described extensively in [Boyd 94]. We consider two different cases. First, the control gain $K$ is given. By solving an LQR problem, a control gain $K$ is obtained such that the closed-loop system is asymptotically stable. In this case, the system in Eq. (A1) is completely determined, and the objective is to find a matrix $P$ such that the size of $S$ is the largest subject to the constraints and the conditions in (A2). Second, the control gain $K$ is unknown. Then we need to determine the matrices $P$ and $K$ to maximize the size of $S$ subject to the conditions in (A2) and those given as constraints. The resulting stability region in this case will be the largest one given by quadratic Lyapunov functions among all possible $K$s which render the physical system asymptotically stable. We discuss these two cases separately as follows.

Case 1. When K is given

In this case, matrix $\bar{A}$ is completely determined. Since the volume of the ellipsoid given by $S = \{X \mid X^T P X \le 1\}$ is proportional to $\sqrt{\det P^{-1}}$, the problem of maximizing the volume subject to the constraints can be formulated as an LMI problem:

$$\begin{aligned} \text{minimize} \quad & \log\det Q^{-1} \\ \text{subject to} \quad & Q\bar{A}^T + \bar{A}Q < 0,\quad Q > 0 \\ & \bar{a}_k^T Q \bar{a}_k \le 1,\quad k = 1,\ldots,p \end{aligned}$$

This problem is solved by Vandenberghe et al. in [Vandenberghe 98].

Case 2. When K is unknown

In this case, $K$ needs to be determined along with matrix $P$ to guarantee asymptotic stability of the system and the largest stability region, subject to the constraints. By substituting $\bar{A} = A + BK$ in the derivative of $V$, we obtain the condition:

$$QA^T + AQ + QK^TB^T + BKQ < 0$$

By introducing the change of variable $Z = KQ$, the above condition becomes

$$QA^T + AQ + Z^TB^T + BZ < 0$$

and the constraints

$$b_j^T u \le 1 \ \Rightarrow\ b_j^T K Q K^T b_j \le 1 \ \Rightarrow\ b_j^T Z Q^{-1} Z^T b_j \le 1 \ \Rightarrow\ \begin{bmatrix} 1 & b_j^T Z \\ Z^T b_j & Q \end{bmatrix} \ge 0,\quad j = 1,\ldots,r$$

where the first step is the result of Lemma A1, the second step is due to the change of variable, and the last step is carried out by Schur complements. Then the LMI problem can be formulated as:

$$\begin{aligned} \text{minimize} \quad & \log\det Q^{-1} \\ \text{subject to} \quad & QA^T + AQ + Z^TB^T + BZ < 0,\quad Q > 0 \\ & a_k^T Q a_k \le 1,\quad k = 1,\ldots,q \\ & \begin{bmatrix} 1 & b_j^T Z \\ Z^T b_j & Q \end{bmatrix} \ge 0,\quad j = 1,\ldots,r \end{aligned}$$

Again, this problem can be solved by the approach developed in [Vandenberghe 98].

A3  Digitized  Control  Implementation 

Consider a linear system

$$\dot{x} = Ax + Bu,\quad y = Cx$$

where $x \in R^n$, $u \in R^m$, $y \in R^p$, $A \in R^{n \times n}$, $B \in R^{n \times m}$, $C \in R^{p \times n}$. Then the trajectory of the system, starting from $x_0$ at $t_0$, is given by:

$$x(t) = e^{A(t - t_0)}x(t_0) + \int_{t_0}^{t} e^{A(t - \tau)} B u(\tau)\,d\tau$$

Let $t_0 = kT$, $t = (k+1)T$, with $T$ the sampling period. Since the control $u(t) = u(kT)$ for all $kT \le t < (k+1)T$, $x$ at $(k+1)T$ is derived as:

$$x((k+1)T) = e^{AT}x(kT) + \left(\int_{kT}^{(k+1)T} e^{A((k+1)T - \tau)}\,d\tau\right) B u(kT) = Fx(kT) + Gu(kT)$$

with $F = e^{AT}$, $G = \left(\int_0^T e^{A\tau}\,d\tau\right) B$. Suppose a linear state feedback control is designed in the simple form $u(t) = Kx(t)$; then the digitized state feedback control system is given by

$$x((k+1)T) = (F + GK)x(kT)$$
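The digitization above as an added example (not code from the report): F and G are computed by truncated power series, and the spectral radius of F + GK shows that a gain which stabilizes the loop at a 20 ms sampling period no longer does so at a long one. The double-integrator plant, the gain K and the function names are assumptions chosen for illustration.

```python
def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def zoh(A, B, T, terms=30):
    """Return F = e^{AT} and G = (integral_0^T e^{A tau} d tau) B via power series."""
    n = len(A)
    F = [[float(i == j) for j in range(n)] for i in range(n)]   # identity, k = 0 term
    Psi = [[T * v for v in row] for row in F]                    # T * I, k = 0 term
    term = [row[:] for row in F]                                 # holds A^k T^k / k!
    for k in range(1, terms):
        term = [[v * T / k for v in row] for row in matmul(term, A)]
        F = [[f + t for f, t in zip(fr, tr)] for fr, tr in zip(F, term)]
        # integral term: A^k T^(k+1) / (k+1)!
        Psi = [[p + t * T / (k + 1) for p, t in zip(pr, tr)] for pr, tr in zip(Psi, term)]
    return F, matmul(Psi, B)

def closed_loop(F, G, K):
    """F + G K, the digitized closed loop for u(kT) = K x(kT)."""
    return [[f + g for f, g in zip(fr, gr)] for fr, gr in zip(F, matmul(G, K))]

def spectral_radius_2x2(M):
    """Largest eigenvalue magnitude of a 2x2 matrix; below 1 means a stable loop."""
    tr = M[0][0] + M[1][1]
    det = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    disc = tr * tr - 4 * det
    if disc >= 0:
        return max(abs(tr + disc ** 0.5), abs(tr - disc ** 0.5)) / 2
    return det ** 0.5            # complex pair: |lambda|^2 = det

# Constructed plant (double integrator) and hypothetical gain; A + BK has both poles at -2.
A = [[0.0, 1.0], [0.0, 0.0]]
B = [[0.0], [1.0]]
K = [[-4.0, -4.0]]

def radius_at(T):
    """Spectral radius of F + GK for sampling period T."""
    F, G = zoh(A, B, T)
    return spectral_radius_2x2(closed_loop(F, G, K))

if __name__ == "__main__":
    for T in (0.02, 0.2, 0.6):
        print(f"T = {T:4.2f} s  spectral radius of F + GK = {radius_at(T):.4f}")
```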


A4  Delay  Caused  by  Digital  Filter 

A digital filter can be described as

$$a_0 y(n) = b_0 x(n) + \sum_{k=1} b_k x(n-k) - \sum_{k=1} a_k y(n-k)$$

with $x(\cdot)$ and $y(\cdot)$ the raw data and filtered data, respectively. Design of a digital filter can be carried out directly in the digital domain by using commercially available software, for example the Matlab Signal Processing Toolbox, or from a design of an analog filter.
Digital Design

By making use of Matlab, a digital filter is designed with the coefficients $a_k$ and $b_k$ as

$$H(z) = \frac{\sum_{k=0}^{n_b} b_k z^{-k}}{\sum_{k=0}^{n_a} a_k z^{-k}}$$

and frequency response:

$$H(e^{j\omega}) = \frac{\sum_{k=0}^{n_b} b_k e^{-jk\omega}}{\sum_{k=0}^{n_a} a_k e^{-jk\omega}}$$

Let

$$B_r = \sum_{k=0}^{n_b} b_k \cos k\omega,\quad B_i = \sum_{k=0}^{n_b} b_k \sin k\omega,\quad A_r = \sum_{k=0}^{n_a} a_k \cos k\omega,\quad A_i = \sum_{k=0}^{n_a} a_k \sin k\omega$$

Then the frequency response can be written as $H(e^{j\omega}) = H_r + jH_i$ with

$$H_r = \frac{B_r A_r + B_i A_i}{A_r^2 + A_i^2},\quad H_i = \frac{B_r A_i - B_i A_r}{A_r^2 + A_i^2}$$

Let $f$ and $T$ be the sampling frequency and period. With $\omega = 2\pi(f_s/f)$, the delay $D$ caused by the digital filter at frequency $f_s$ can be computed as

$$D = \frac{\angle H(e^{j\omega})/2\pi}{f_s}\ \text{(seconds)} \quad\text{or}\quad D = \frac{(\angle H(e^{j\omega})/2\pi)/f_s}{T}\ \text{(sampling periods)}$$


Analog  Design  and  Digitization 

Let $f$ be the sampling frequency and $T$ be the sampling period. A digital filter can be designed from an analog filter by applying the bilinear transformation:

$$s = \frac{2}{T}\,\frac{1 - z^{-1}}{1 + z^{-1}}$$

Suppose an analog filter is given by transfer function $H(s)$. Then a digital filter can be obtained from this analog filter with the frequency response

$$H(e^{j\omega}) = H(s)\Big|_{s = \frac{2}{T}\frac{1 - e^{-j\omega}}{1 + e^{-j\omega}}}$$

and the delay caused by the filtering can be computed as described before.

Example A1. Consider a first-order Butterworth lowpass filter with cut-off frequency $f_c = 5$ Hz and sampling frequency $f = 50$ Hz. By running Matlab, we obtain the filter coefficients $a_0 = 1$, $a_1 = -0.5095$, $b_0 = b_1 = 0.2452$. Then the magnitude response and the phase response are given by

$$|H(e^{j\omega})| = \frac{2b_1}{\sqrt{(1 + a_1)^2 + (1 - a_1)^2 \tan^2(\omega/2)}},\quad \angle H(e^{j\omega}) = -\tan^{-1}\frac{(1 - a_1)\tan(\omega/2)}{1 + a_1}$$

Figure 19(a) shows the delay as a function of the signal frequency. For instance, the delay of a signal with frequency $f_s = 4.1$ Hz is 1.324 sampling periods, namely, 1-2 sampling periods in implementation. This is verified by the plot in Figure 19(b), where the time lag between the first peaks of the signal and the filtered signal is 20 ms and the lag for the second peaks is 40 ms.


Figure 19: (a) Number of Sampling Periods Delayed as a Function of the Signal Frequency; (b) Signals Before and After Filtering
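The delay computation of this section applied to Example A1, as an added example (not code from the report): the coefficients are derived with the bilinear transformation, and the delay is evaluated from the general frequency response and cross-checked against the closed-form phase. Pre-warping of the cut-off frequency and all function names are assumptions made here.

```python
import cmath
import math

def butter1_bilinear(fc, f):
    """First-order Butterworth lowpass H(s) = Wc / (s + Wc), digitized with
    s = (2/T)(1 - z^-1)/(1 + z^-1). The cut-off is pre-warped (assumption)."""
    c = math.tan(math.pi * fc / f)          # c = Wc * T / 2 after pre-warping
    b = [c / (1 + c), c / (1 + c)]          # b0 = b1
    a = [1.0, (c - 1) / (c + 1)]            # a0 = 1, a1
    return b, a

def freq_response(b, a, w):
    """H(e^{jw}) = sum_k b_k e^{-jkw} / sum_k a_k e^{-jkw}."""
    num = sum(bk * cmath.exp(-1j * k * w) for k, bk in enumerate(b))
    den = sum(ak * cmath.exp(-1j * k * w) for k, ak in enumerate(a))
    return num / den

def delay(b, a, fs, f):
    """Delay at signal frequency fs for sampling frequency f: (seconds, periods)."""
    w = 2 * math.pi * fs / f
    lag = -cmath.phase(freq_response(b, a, w))   # phase lag in radians
    seconds = (lag / (2 * math.pi)) / fs
    return seconds, seconds * f                  # seconds / T with T = 1 / f

def delay_first_order(a1, fs, f):
    """Delay in sampling periods from the closed-form phase of Example A1."""
    w = 2 * math.pi * fs / f
    return math.atan((1 - a1) * math.tan(w / 2) / (1 + a1)) / w

if __name__ == "__main__":
    b, a = butter1_bilinear(5.0, 50.0)
    print("b =", [round(v, 4) for v in b], "a =", [round(v, 4) for v in a])
    for fs in (1.0, 4.1, 10.0):
        sec, periods = delay(b, a, fs, 50.0)
        print(f"fs = {fs:4.1f} Hz: {1000 * sec:5.1f} ms = {periods:.3f} sampling periods")
```

With the rounded coefficients of Example A1 the delay at 4.1 Hz comes out at about 1.32 sampling periods, in line with the value quoted in the text.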